by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice
In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.
We have become aware of an ongoing fraud scheme that initially was targeting Western European companies but appears to have emerged in the United States. The scheme involves social engineering and email spoofing, wherein the fraudster assumes the identity of a senior company executive and targets an employee from that same company, often someone in accounting or accounts payable.
The victim employee initially receives an email from the “fake president” concerning a highly confidential transaction, sometimes related to an acquisition. The communications often stress both urgency and the need for confidentiality. Recipients may also be instructed to direct all subsequent communications to the “president’s” personal email address, to the president’s attorney, or both. They subsequently receive instructions by telephone and/or email containing the bank routing number, account number and account holder information for the account to which the fake president needs a wire transfer sent.
The schemes about which we are aware have each involved accounts in Hong Kong, but this scheme could involve accounts in any foreign jurisdiction. In some instances, these schemes involve a single fraudulent wire transfer, but in other instances they may keep it going until and unless the company realizes it has been defrauded.
These schemes are often effective as a result of the research that the fraudsters have done in advance to identify the company executives and operations, as well as to identify an employee to target. It is believed that the initial target pool centered on EU-based companies because there is detailed information available in the public domain that makes the identification of executives and lower-level accounting or finance employees relatively easy compared to companies that are based elsewhere.
That said, these schemes have characteristics in common with other known and highly successful fraud schemes being perpetrated by criminal organizations. These characteristics include use of spoofed emails, blocked or anonymous phone numbers, offshore bank accounts in less cooperative jurisdictions, and the targeting of wire transfers.
The use of flattery, urgency and confidentiality is also characteristic of fraud schemes undertaken by organized groups. The fraudster may suggest that the fake president has carefully selected the targeted employee as someone worthy of the president’s trust. The resulting excitement may cause the victim employee to ignore obvious red flags out of a misplaced hope that successfully executing the instructions will result in a career boost.
Instilling a sense of urgency is another proven technique in fraud schemes (as it is in the sale of used cars and health club memberships). Applying time pressure, coupled with the fear of upsetting a very senior executive in connection with what has been described as a highly confidential matter, can cause people to disregard red flags that they would have noticed had they taken the time to think about what was happening before it was too late.
What steps can be taken to reduce your organization’s susceptibility to fake president fraud?
- Require telephonic and email confirmation using phone numbers and email addresses taken from the company directory; do not rely on the contact details contained in the requestor’s email.
- Educate your employees about the prevalence of the various social engineering and email spoofing techniques being employed by fraudsters and the red flags to monitor, including non-standard transactions, urgency, confidentiality, offshore accounts and use of wire transfers, and use of personal emails.
- Review fraud controls around wire transfer requests, ensure that those controls are being followed, and ensure that all approvers are aware of the prevalence of schemes targeting companies around fraudulent wire transfers.
- Discuss fraud controls with your financial institutions to see if any enhancements can be made on their end to assist in protecting your organization against wire transfer fraud.
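The spoofing described above (an executive’s name on a lookalike or unauthenticated address, with replies redirected to a “personal” or attorney mailbox) and the red flags listed for employee education (urgency, confidentiality, wire-transfer language) can be turned into a mail-gateway screening rule. The script below is an added example written for this post, not Protiviti tooling; the corporate domain, the executive directory entry, the keyword lists and the three sample messages are all constructed for illustration. It assumes the gateway stamps an `Authentication-Results` header from its SPF/DKIM/DMARC checks.

```python
"""Screen inbound mail for 'fake president' red flags (added example, not Protiviti code)."""
import email
from email import policy
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed corporate domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}    # assumed directory entry (name -> real address)
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Phrase lists drawn from the red flags the post describes; tune for your environment.
URGENCY = ("urgent", "immediately", "today", "asap", "time-sensitive")
CONFIDENTIAL = ("confidential", "do not discuss", "strictly private", "discreet")
PAYMENT = ("wire", "wire transfer", "swift", "routing", "account number", "iban")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))

    # 1. Display name belongs to an executive but the address is not the directory address.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        flags.append(f"display name '{name}' spoofed from {addr}")

    # 2. Address claims the corporate domain but the gateway's authentication checks failed.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if _domain(addr) == COMPANY_DOMAIN and any(t in auth for t in ("spf=fail", "dkim=fail", "dmarc=fail")):
        flags.append("internal domain claimed but SPF/DKIM/DMARC failed")

    # 3. Replies are redirected outside the company (the 'use my personal email / my attorney' move).
    reply_to = msg.get("Reply-To")
    if reply_to:
        for _, rt in getaddresses([str(reply_to)]):
            dom = _domain(rt)
            if dom and dom != COMPANY_DOMAIN:
                kind = "free-mail" if dom in FREE_MAIL else "external"
                flags.append(f"Reply-To redirected to {kind} address {rt}")

    # 4. Social-engineering language in the body (whitespace normalised so wrapped phrases still match).
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join((body.get_content() if body else "").split()).lower()
    for label, words in (("urgency", URGENCY), ("confidentiality", CONFIDENTIAL), ("wire/payment", PAYMENT)):
        hits = [w for w in words if w in text]
        if hits:
            flags.append(f"{label} language: {', '.join(hits)}")
    return flags


def classify(raw):
    """Combine flags into a triage level: identity problem plus payment language is 'high'."""
    flags = screen_message(raw)
    identity = any(f.startswith(("display name", "internal domain", "Reply-To")) for f in flags)
    payment = any(f.startswith("wire/payment") for f in flags)
    level = "high" if identity and payment else "medium" if identity or payment else "low"
    return level, flags


# Constructed sample messages (not real traffic).
LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts.payable@example.com
Subject: Confidential acquisition - action needed
Content-Type: text/plain; charset="utf-8"

I need you to handle a confidential acquisition payment today. Send the wire
transfer to the account details below and reply to my personal email only.
"""

SPOOFED_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: counsel@lawfirm-example.net
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail
To: accounts.payable@example.com
Subject: Private matter
Content-Type: text/plain; charset="utf-8"

This is strictly private; do not discuss with anyone. Wire the funds urgently
using the routing and account number below and coordinate with my attorney.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
To: accounts.payable@example.com
Subject: Q3 close
Content-Type: text/plain; charset="utf-8"

Please circulate the agenda for Thursday's close meeting.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE), ("spoofed-internal", SPOOFED_INTERNAL), ("legit", LEGIT)):
        level, flags = classify(sample)
        print(f"{label}: {level}")
        for f in flags:
            print(f"  - {f}")
```

A gateway rule like this is a screen, not a control: a message that scores “high” should be quarantined or routed to the approver with the flags shown, but the approval itself still rests on the directory call-back described in the first recommendation, because a fraudster who controls a genuinely compromised executive mailbox will pass every header check here.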